## Self-signed certificates and Elliptic Curve Cryptography

There are many reasons to self-sign SSL certificates, but we find them particularly useful for staging sites and in the early stages of a project. We have a three command guide to self-signing an SSL certificate if you aren’t interested in ECC.

If you also are interested in ECC, you may know that the main reason for using elliptic curves as the basis for communication over SSL is the small key size – where regular DSA would require 1024 bits, ECDSA (the elliptic-curve variant of DSA) would require about 160 bits. The computational power required for communication over ECDSA is also less.

This is only likely to matter in embedded systems or other highly-constrained environments.

If you also are considering specifically using an ECDSA certificate like the one generated here with OpenSSL, it is probably worth reading a more detailed description by Bruce Schneier. If you are sure you want an ECC-based certificate, doing so is just as easy as any other self-signed certificate with OpenSSL, provided that your version supports ECDSA. The commands below have been verified to work on CentOS 7/8.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 | [~/soft/openssl] $ rpm -qa | egrep openssl-1 openssl-1.0.2k-19.el7.x86_64 $ openssl ecparam -genkey -name prime256v1 -out ecserver.key && cat ecserver.key -----BEGIN EC PARAMETERS----- BggqhkjOPQMBBw== -----END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- MHcCAQEEIOuLAy2s1bURhMP0J0PHCexHz0p7Yh6WpBV9SEhNDWB1oAoGCCqGSM49 AwEHoUQDQgAESzx/1ujyuv5RissYU54S0CoxQNGluZDrlzJrSm0wUEDmPr51stxc yIdYNUAqVSR6C2ZeFmJwkb76Oj2QXXaxFQ== -----END EC PRIVATE KEY----- $ openssl req -new -sha256 -key ecserver.key -out ecserver.csr -subj /CN=localhost.localdomain && cat ecserver.csr -----BEGIN CERTIFICATE REQUEST----- MIHbMIGCAgEAMCAxHjAcBgNVBAMMFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjBZMBMG ByqGSM49AgEGCCqGSM49AwEHA0IABEs8f9bo8rr+UYrLGFOeEtAqMUDRpbmQ65cy a0ptMFBA5j6+dbLcXMiHWDVAKlUkegtmXhZicJG++jo9kF12sRWgADAKBggqhkjO PQQDAgNIADBFAiEAvkXur194Hu/a5y/zAlhhl1PrrvxEqL6hUJDYIHOAtH0CIHOL OPc1zwJIzB20Wx9JcWeMFRR/Oy18SdQK2nQENRir -----END CERTIFICATE REQUEST----- $ openssl req -x509 -sha256 -days 3650 -key ecserver.key -in ecserver.csr -out ecserver.crt && cat ecserver.crt -----BEGIN CERTIFICATE----- MIIBhjCCAS2gAwIBAgIJAPLPlwIZxiV0MAoGCCqGSM49BAMCMCAxHjAcBgNVBAMM FWxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0yMDA5MTgxMDI3NDdaFw0zMDA5MTYx MDI3NDdaMCAxHjAcBgNVBAMMFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjBZMBMGByqG SM49AgEGCCqGSM49AwEHA0IABEs8f9bo8rr+UYrLGFOeEtAqMUDRpbmQ65cya0pt MFBA5j6+dbLcXMiHWDVAKlUkegtmXhZicJG++jo9kF12sRWjUDBOMB0GA1UdDgQW BBQwsKzj+uznGUk7vAkZYPGXEjcYxjAfBgNVHSMEGDAWgBQwsKzj+uznGUk7vAkZ YPGXEjcYxjAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIHJXRLguTYCn DkxWfsST5mx7AvT1cHOg2C15zXqsEGD+AiAaQlnjNBMotMd0toJ7jSXQbTYKJk2F WnKdBqxMlo2VRQ== -----END CERTIFICATE----- $ ls -1 ecserver.crt ecserver.csr ecserver.key |

The first command is the only one specific to elliptic curves. It generates a private key using a standard elliptic curve over a 256 bit prime field. You can list all available curves using:

1 | openssl ecparam -list_curves |

or you can use prime256v1.

The second command generates a Certificate Signing Request and the third generates a self-signed x509 certificate suitable for use on web servers.

If you’re interested in elliptic curve cryptography, Wikipedia has a good introduction that includes the math behind it, as well as more specific information on ECDSA in particular. As usual, there are good links from there to learn more.